Privacy Policy
Privacy notice (UK Clients)
Last updated: 30th August 2024
KGray Counselling is a business operated by Katie Gray MNCPS (Acc). Under the Data Protection Act 2018, I am a “data controller”. This means that I am responsible for deciding how I hold and use the personal information I hold about you.
What is the purpose of this information?
I recognise that you trust me with your personal information and I take my data protection responsibilities seriously. This privacy notice explains how I handle any personal information about you, and provides you with certain information that must be provided under law.
How I collect information about you
I collect information (including contact information) from you during calls and by email when discussing your needs. If you become a client, I make written notes of our sessions (although I use reasonable efforts not to include identifiable information in those notes such as your name). I will also hold a brief, password-protected electronic record about you during the period you are a client and for five years after the end of therapy which includes your name, email address, phone number, the number of sessions we have had and your GP details.
As a general policy, I keep written (whether electronic or otherwise) records containing personal information to a minimum and regularly delete emails and documents where there is no legal or business need to retain that information. My insurance company requires that I keep some notes for
a period of 5 years after the end of counselling or therapy. This means that I cannot erase certain information I hold about you in that period.
The kind of information I hold about you I collect, store, and use the following categories of personal information about you:
• the information you provide to me when you initially contact me (typically name, email and telephone number);
• the information you provide to me in your introductory call; and
• if you become a client, the information you provide to me in your in client sessions and any communications between sessions.
I may also collect, store and use the following “special categories” of more sensitive personal information if you provide it to me (but there is no obligation for you to do so): (i) information about your race or ethnicity, religious beliefs, marital status, and sexual orientation; (ii) information about your health, including any medical condition, health and sickness records; or (iii) information about criminal convictions and offences.
How do I use your personal information?
The main purpose for using your personal information is to provide services to you under contract. I will never provide your personal details to a third party without your consent except in the following circumstances:
• I discuss all of my clients in clinical supervision. In such circumstances, I will use your first name but will keep identifying information about you to a minimum. My supervisors are members of either the BACP or NCPS and bound by the codes of ethics of those organisations.
• I may undergo courses and/or seek further stages of accreditation with my existing or further professional membership bodies for counselling and psychotherapy. In such cases, I may need to write case studies and provide transcripts of recordings. For clinical supervision, I may also seek to reflect on specific aspects of sessions with my supervisor(s) based on recording(s) and/or transcript(s) of sessions. In all such cases, I will ask for your consent to recording and transcription in advance and there will be a separate audio recording consent form detailing what I do with the recording(s) and transcript(s) of sessions.
• I may use individual consultants for administrative purposes (for example, if I engage a bookkeeper or accountant, there is a possibility that individual may see your name as part of checking invoices). If so, I have a contract with those individuals which places restrictions on when and how they can access your personal information. I do not allow them to use your personal data for their own purposes. I only permit them to process your personal data for specified purposes and in accordance with my instructions.
• I use third party software (Gmail) which will capture certain information about you when you contact me or book a session. My contract with those companies places restrictions on when and how they can access your personal information.
This is set out in their own privacy policy.
• In rare circumstances, to my legal professional advisors and / or underwriters in the context of seeking legal advice or in the context of legal action.
• Where I am required by law, including by court order.
• As stated in our contract, if I reasonably believe that you or someone else is at serious risk of harm, I may contact a third party for the purpose of preventing harm (for example, by ringing 999, contacting your GP or the police).
• I have a clinical will in the event of my incapacitation or death. In those circumstances I have appointed a trustee who is a therapist who will be able to contact you. Your details are held securely by an online Clinical Will platform for this purpose.
​
How long do I keep personal information?
If you become a client, I keep your personal information for as long as you remain a client and for 5 years thereafter except where there is a legal, insurance or accounting need to retain the information for longer (for example, I keep financial information such as invoices for a period of 7 years). If you approach me but do not become a client, I will retain personal information you provide for no more than six months. I keep your personal information for these periods for my ‘legitimate business interest’, which means a reasonable use in line with my business activities. I also retain your personal information for that period so that I can show, in the event of a legal or other claim, that I have acted in a lawful and transparent way.
​
Your rights
Where I have asked for your consent to process personal information, you have the right to withdraw your consent. However, I do not typically ask for your consent to use personal information about you as I use your personal information in order to provide services to you under contract and for legitimate business purposes. Under certain circumstances, by law you have the right to:
• Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information I hold about you and to check that I am lawfully processing it.
• Request correction of the personal information that I hold about you. This enables you to have corrected any incomplete or inaccurate information I
hold about you.
• Request erasure of your personal information. This enables you to ask me to delete or remove personal information where there is no good reason for me continuing to process it. You also have the right to ask me to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Request the restriction of processing of part or all of your personal information. This can include asking me to stop processing your information for a particular period of time.
• Request the transfer of your personal information to another party.
If you want to exercise any of these rights, please contact me in writing (which can be by email). Please be aware that I may nonetheless be required to keep some of
your personal information for legal or insurance reasons.
How I protect your personal information
I store your personal information using secure physical safeguards and secure IT systems (e.g. password protected computers, back-up drive and systems). Your personal information is contained in a password-protected file on a hard drive and a single back-up drive. I do not store your personal details online except where personal information is included in emails or text messages between us. Client notes are hand-written and stored in a locked storage device. Your personal information may also be included in emails or text messages between us, in the Clinical Will platform and in the Calendly app if you book sessions online. Access to these are password protected.
In addition, I limit access to your personal information to those individuals who have a business need-to-know. They will only process your personal information on my
instructions and they are subject to a duty of confidentiality. I have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where I am legally required to do so.
​
Contacting me
If you have any questions about this privacy notice or how I handle your personal information, please contact kgray.counselling@gmail.com
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.